My name is Fred Cate. I am a professor of law, Louis F. Niezer Faculty Fellow, and director of
the Information Law and Commerce Institute at the Indiana University School of Law--
Bloomington, and senior counsel for information law at Ice Miller Donadio & Ryan in Indianapolis. I am testifying today on my own behalf,(1) as someone who has researched, taught, and
written about information law issues generally, and information privacy issues specifically, for
more than a decade.(2)

When I was invited to testify today I was asked to address one question: is new Congressional
action necessary to protect personal privacy in electronic communications? My answer is "no."

This is not to suggest that the extraordinary proliferation of information technologies and growth
in their power and affordability are not presenting important privacy issues, but rather that further
Congressional action is premature and likely to be unnecessary altogether. That conclusion is
based on four related considerations:

1. Rapid Change

First, we are in the midst, not at the end, of the phenomenal technological innovation that is
prompting new concerns about privacy. The World Wide Web, for example, which was first
made available to the public in 1992, is now used by more than one-quarter of the U.S. population, making it the fastest-growing medium in human history. By comparison, it took 38 years for
radio to reach that percentage of Americans, 13 for television, and 10 for cable. And that dramatic growth is continuing. According to the semi-annual Internet Domain Survey released in
January 1998 by Network Wizards, the World Wide Web continues to grow at a dramatic pace.
The survey found 29.7 million hosts in January 1998, up from 26 million just six months earlier--a greater than 26% annual growth rate. Five years ago, the survey found only 1.3 million
hosts.(3)

The nature of the Internet is changing as well. In 1995, World Wide Web hosts designated
".com" for commercial slightly outnumbered those designated ".edu" for educational institutions--the traditional mainstay of the Internet. The most recent survey, however, shows ".com"
sites outnumbering their ".edu" counterparts more than two-to-one.(4) And the disparity may be
even greater, because businesses outside of the United States tend to use the abbreviation of their
country rather than ".com" as part of their web address.

The fact that we are in the midst of rapid, significant change--not just in technologies but also in
the new services, markets, and activities that those technologies are facilitating--argues against
legislative action. This is especially true in a field such as information privacy, in which past
legislation and judicial interpretation have sought to protect "reasonable expectations of
privacy."(5) It is inadvisable to attempt to define "reasonable expectations" of virtually anything
while experiencing such extraordinary change.

2. Expansion of Self-Help and Self-Regulation

Second, in recent years we have witnessed not only an increase in concerns about privacy, but
also a parallel increase in the tools available to consumers to protect their privacy and in the self-regulatory actions of industries responding to consumer demands. As a result, consumers today
have greater opportunities than ever before both to participate in the world around them and to
protect their privacy while doing so.

For example, technological innovations such as adjustable privacy protection settings in both
Netscape and Microsoft Explorer, encryption software, anonymous remailers, and in fact, the
Internet itself all facilitate privacy and individual control over the information we disclose about
ourselves.

Many companies are actively competing for customers by promoting their privacy policies and
practices. If enough consumers demand better privacy protection and back-up that demand, if
necessary, by withdrawing their patronage, virtually all competitive industry sectors are certain to
respond to that market demand. In fact, when competitive markets exist, consumer inquiries
about, and response to, corporate privacy policies are an excellent measure of how much the
society really values privacy.

Industry organizations are increasingly providing standards for privacy protection and help to
consumers whose privacy interests are compromised. The Direct Marketing Association, for
example, operates the Mail Preference Service and the Telephone Preference Service. With a
single request to each it is possible to be removed from most DMA-member company mailing
and telephone solicitation lists. However, although the Mail Preference Service has been available since 1971, the DMA reports that the service is used by approximately two percent of the
U.S. adult population. This suggests that concern over direct mail solicitations is not that great or
that the public is unaware of, or not taking the initiative to use, this free service. A proposed use
of data can hardly be considered unreasonable if the user gives consumers a meaningful opportunity to object to the use and so few do.

Often, industry associations, such as the Information Industry Association and the Interactive
Services Association, have adopted guidelines and principles which may serve as models for
individual company policies. Corporate compliance with privacy standards constitutes an increasingly important accolade in competitive markets, particularly among Internet users. Moreover,
industry associations can help persuade member organizations to adopt and adhere to industry
norms for privacy protection. The DMA, for example, has begun issuing quarterly reports on
members who are being disciplined for violating DMA codes of conduct.

A consortium of privacy advocates and software companies has announced the development of a
service to make privacy self-help easier on the Internet. "TRUSTe" is a program that rates Internet sites according to how well they protect individual privacy. Internet sites that provide
sufficient protection for individual privacy--including not collecting personal information, not
disseminating information to third parties, and not using information for secondary
purposes--earn the right to display the "TRUSTe" logo.(6)

Considerable privacy protection also exists in private agreements. According to the Bankcard
Holders of America Association, merchants are prohibited by their agreement with Visa and
Mastercard from requiring a driver's license or telephone number for a credit transaction.
Similarly, Visa and Mastercard prohibit the merchants with whom they deal from requiring credit
card information to guarantee a check. These restrictions create legal obligations through private
contracts that help protect individuals' privacy.

3. Adequacy of Existing Legal Protection

Third, Congress has already provided legal protection for privacy in key contexts, such as
financial services, and has created in regulatory agencies, prosecutors, and citizens significant
legal rights for protecting individual privacy. The Electronic Communications Privacy Act of
1986(7) is an excellent example. The Act prohibits the interception or disclosure of the contents of
any electronic communication, such as telephone conversations or e-mail, or even of any
conversation in which the participants exhibit "an expectation that such communication is not
subject to interception under circumstances justifying such an expectation."(8) This language
creates significant protection and it is sufficiently flexible to both accommodate new
technologies and permit individual states to experiment with greater protection. For example,
some states have gone beyond the Act's one-party consent rule to require the consent of both
parties if a communication is to be recorded.

Perhaps the best example of the power and flexibility of the current legislative regime is the
authority delegated by Congress to regulatory agencies, such as the Federal Trade Commission.
In the Federal Trade Commission Act, Congress declared unlawful "unfair or deceptive acts or
practices in or affecting commerce"(9) and delegated to the FTC the authority to carry out that
provision. Pursuant to that statutory mandate, the FTC has been actively examining privacy
issues, particularly in the context of the Internet. The FTC has been especially attentive to
privacy issues surrounding computerized databases, electronic look-up services, and children's
use of the Internet. Although those inquiries are on-going, the FTC, operating under its existing
statutory authority, has focused public attention on privacy issues, facilitated the development of
industry self-regulation and codes of conduct, identified key principles for meaningful privacy
protection, and brought pressure to bear on those companies that are inadequately attentive to
consumer privacy issues.

This is not to suggest that there may not at some point in the future be a need for specific,
narrowly targeted legislation to deal with privacy issues involving children or sensitive medical
information, but rather that existing authority created by Congress is sufficient to deal with most
privacy concerns. In short, there is no convincing evidence that new legislation is necessary to
deal with privacy issues in electronic communications.

4. Costs of Overprotecting Privacy

Finally, and most importantly, privacy is not an unmitigated good. As a result, efforts to enhance
personal privacy should always be evaluated in the context of the costs that those efforts pose to
the free flow of information, the development of efficient markets, and the provision of valuable
services especially through the Internet.

The debate over privacy today is fundamentally a debate over control of information. Historically, the United States has accorded enormous protection for privacy through legal respect for
private property, which allows individuals to separate themselves from each other; a vigorous
First Amendment, which permits individuals the privacy of their own thoughts and beliefs; and
unparalleled limits, reflected in the First, Fourth and Fifth Amendments, on government authority
to intrude on private property, to compel testimony, or to interfere with practices closely related
to individual beliefs, such as protest, marriage, family planning, or worship.

As much protection as U.S. law has offered these and other activities, the law has historically
afforded equal protection to the freedom to disclose and disseminate information about such
activities. This freedom is at the core of the First Amendment. It is also at the core of a market-based economy, which depends on the accessibility of information.

While privacy is certainly a necessary element of quality life in modern society, protecting the
privacy or information imposes real costs on individuals and institutions. Privacy facilitates the
dissemination of false information, such as when a job applicant lies about his previous employment, by making discovery of that falsity more difficult or impossible. Privacy similarly protects
the withholding of relevant true information, such as when an airline pilot fails to disclose a
medical condition that might affect job performance. Privacy interferes with the collection, organization, and storage of information on which businesses and other can draw to make rapid,
informed decisions, such as whether to grant credit or accept a check. As these examples suggest,
the costs of privacy may be high. Those costs include both transactional costs incurred by information users seeking to determine the accuracy and completeness of the information they receive,
and the risk of future losses resulting from inaccurate and incomplete information. Privacy therefore may reduce productivity and lead to higher prices for products and services.

Privacy recognizes the right of the individual, as opposed to anyone else, to determine what he
will reveal about himself or herself. As a result, privacy conflicts with other important values
within the society, such as society's interest in facilitating free expression, preventing and punishing crime, protecting private property, and conducting government and commercial operations
efficiently.

To the extent that legal protections and social mores concerning privacy interfere with creating
the systems necessary to acquire and use personal information, privacy may even conflict with
the interest of the persons whose privacy is being protected. If a customer wants credit in a retail
store, but the law prohibits the store owner from obtaining or verifying the credit information
necessary to extend that credit, the customer is inconvenienced, even though he or she may be
willing at that moment and for that purpose, to consent to the disclosure of his or her credit information. If an individual requires emergency medical attention, but privacy laws interfere with the
hospital obtaining his or her medical records, he or she may face greater risks than mere inconvenience. Instant credit, better targeted mass mailings, lower insurance rates, faster service when
ordering merchandise by telephone, special recognition for frequent travelers, and countless other
benefits come only at the expense of some degree of privacy.

I am not suggesting that privacy is inherently evil, but rather that it is not inherently good. The
late Anne Branscomb, author of Who Owns Information?, wrote: "Information is the lifeblood
that sustains political, social, and business decisions."(10) This is especially true in commercial
contexts where, as the Federal Reserve Board noted in its recent report to Congress on privacy,
"it is the freedom to speak, supported by the availability of information and the free-flow of data,
that is the cornerstone of a democratic society and market economy."(11) Protecting privacy inevitably impedes that availability of information and free-flow of data.

This is particularly true in the context of laws affecting electronic communication. The vast majority of information in the industrialized world today is electronic. No form of communication
other than face-to-face conversation and hand-written, hand-delivered messages, escapes the
reach of electronic information technologies. As those exceptions indicate, no communication
that bridges geographic space or is accessible to more than a few people exists today without
some electronic component. And the dominance of electronic communication is growing at an
astonishing pace.

As a result, the regulation of electronic information flows cuts deeply into freedom of expression
and the data necessary for open markets generally. And the dangers inherent in limiting the flow
of information are exacerbated by the rapidly expanding and changing context in which information is created, transmitted, stored, and used. Such restrictions should be avoided if possible.

I believe that it is possible--and desirable--to avoid further restrictions on the accessibility of
information by taking advantage of the legal power that already exists in the hands of citizens,
prosecutors, and regulatory agencies and the technological and market power of consumers.
Efforts by regulators, such as the FTC, and by individual companies and industry groups are
further expanding opportunities for meaningful privacy and are helping to inform consumers
about the practical steps they can take to control the disclosure of private information. These
efforts are uniformly preferable in a democratic society to legal restrictions on information collection and dissemination.

These measures may be fully effective in protecting privacy to the extent compatible with a democratic society and market economy. Or it may ultimately prove necessary to enact additional
laws to strengthen privacy protection. I do not believe that is the case today in the face of expansive change, impressive technological and commercial alternatives for protecting privacy, powerful existing law and regulators, and strong constitutional preference against such restrictions.

Fred H. Cate is a professor of law, Louis F. Niezer Faculty Fellow, and director of the Information Law and Commerce Institute at the Indiana University School of Law--Bloomington. An
internationally recognized expert on information law, Professor Cate is also senior counsel for
information law in the Indianapolis law firm of Ice Miller Donadio & Ryan.

Professor Cate is the author of many articles and books, including Privacy in the Information
Age, which received Honorable Mention as the Association of American Publishers Professional/Scholarly Publishing Division Best New Book in Law 1997, and Sexually Explicit Expression in the Classroom: The Internet, Schools, and the First Amendment, and he is the editor of
Visions of the First Amendment for a New Millennium.

Professor Cate chairs the American Association of University Professors' Intellectual Property
Committee, and he serves as a member of the U.S. Privacy Experts Group, the Privacy Exchange
Advisory Board, and the Committee on Institutional Cooperation's Copyright and Intellectual
Property Committee. He is secretary of the Board of Directors of the Advanced Research and
Technology Institute and faculty advisor to the Federal Communications Law Journal, the official journal of the Federal Communications Bar Association and the nation's oldest communication law journal.

Previously he directed the Electronic Information Privacy and Commerce Study for the Brookings Institution, chaired the Department of Health and Human Services' Working Group on
Intellectual Property in Networked Health Information, and served as a member of the U.S. CongressOffice of Technology Assessment's panel of experts on Global Communications Issues and
Technology and panel of reviewers on International Money Laundering. From 1990 to 1996, he
served as a senior fellow (and from 1991 to 1993, director of research and projects) of The
Annenberg Washington Program in Communications Policy Studies.

Professor Cate writes widely for the popular press--including the Atlantic, Chicago Tribune,
Christian Science Monitor, International Herald Tribune,Los Angeles Times, San Francisco
Chronicle, Wall Street Journal, and Washington Post--and has appeared on CNN, PBS, and
many local television and radio programs. He received his J.D. and his A.B. with Honors and
Distinction from Stanford University. Prior to joining the faculty at Indiana University, he practiced in the Washington, D.C. office of Debevoise & Plimpton. A life member of Phi Beta Kappa
Associates, Professor Cate is listed in Who's Who in American Law.

1. In compliance with House Rule XI, clause 2(g)(4), I certify that I have received no federal
grant, contract, or subcontract in the preceding two fiscal years.

2. I am the author of "Privacy and Telecommunications," forthcoming in the Wake Forest Law
Review; Privacy in the Information Age (Brookings Institution Press, 1997); "The EU Data
Protection Directive, Information Privacy, and the Public Interest," 80 Iowa Law Review 431
(1995); and "The Right to Privacy and the Public's Right to Know: The 'Central Purpose' of the
Freedom of Information Act," 46 Administrative Law Review 41 (1994) (with D. Annette Fields
and James K. McBain). A biographical statement is attached.